Configuring Kerberos Network Application Servers

Network application servers are hosts that provide access using one
or more of the following network applications: ftp, rcp, rlogin, rsh, ssh,
and telnet. Only a few steps are required to enable the
Kerberos version of these commands on a server.

How to Configure a Kerberos Network Application Server

This procedure uses the following configuration parameters:

Application server = boston

admin principal = kws/admin

DNS domain name = example.com

Realm name = EXAMPLE.COM

Before You Begin

This procedure requires that the master KDC has been configured. To
fully test the process, several Kerberos clients must be configured.

(Optional) Install the NTP client or another clock
synchronization mechanism.

If the command does not return a principal, then create new principals
using the following steps.

Adding a principal with the Graphical Kerberos Administration Tool is
explained in How to Create a New Kerberos Principal. The example in the
following steps shows how to add the required principals using the
command line. You must log in with one of the admin principal names that
you created when configuring the master KDC.

To authenticate traffic when using the remote commands, such
as rsh and ssh.

By pam_krb5 to prevent KDC spoofing attacks
by using the host principal to verify that a user's Kerberos
credential was obtained from a trusted KDC.

To allow the root user to automatically
acquire a Kerberos credential without requiring that a root principal
exist. This can be useful when doing a manual NFS mount where the share requires
a Kerberos credential.

This principal is required if traffic using the remote application is
to be authenticated using the Kerberos service. If the server has multiple
hostnames associated with it, then create a principal for each hostname using
the FQDN form of the hostname.
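
The following script is an added example, not part of the original procedure. It checks a keytab listing, in the layout printed by klist -k, for a host principal in FQDN form for each hostname of the server. The second hostname (denver), the function names, and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a `klist -k` listing for host principals in FQDN form.
REALM="EXAMPLE.COM"   # realm name from the procedure's parameters

# Constructed sample listing. The server "boston" is assumed to have a second
# hostname, "denver", whose key was created with the short name by mistake.
sample_listing() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 host/boston.example.com@EXAMPLE.COM
   3 host/boston.example.com@EXAMPLE.COM
   2 host/denver@EXAMPLE.COM
   4 nfs/boston.example.com@EXAMPLE.COM
EOF
}

# missing_host_principals LISTING FQDN...
# Prints every FQDN that has no exact host/<fqdn>@REALM entry in LISTING.
missing_host_principals() {
    listing=$1; shift
    for fqdn in "$@"; do
        want="host/${fqdn}@${REALM}"
        # Match the principal column exactly; a short-name entry such as
        # host/denver@REALM does not satisfy a request for the FQDN.
        printf '%s\n' "$listing" |
            awk -v p="$want" '$2 == p { found = 1 } END { exit !found }' ||
            printf '%s\n' "$fqdn"
    done
}

# short_name_host_principals LISTING
# Prints host principals whose hostname part has no dot (not FQDN form).
short_name_host_principals() {
    printf '%s\n' "$1" | awk '$2 ~ /^host\/[^.@]+@/ { print $2 }' | sort -u
}

# On a real server, pass the live listing instead of the sample:
#   missing_host_principals "$(klist -k)" boston.example.com
```

Any hostname printed by missing_host_principals still needs a host principal created for it and added to the server's keytab.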